The Internet remains a growing public network. Many companies rely on communication over the Internet using Internet Protocol (“IP”) to facilitate their business endeavors. For security in communication over the Internet, a computer may be configured to track and screen communications. This configuration is known as a “firewall,” and one or more of its actions may be referred to as “firewalling.”
In a “stateful firewall,” a set of values uniquely identifying each existing connection (“state of each active connection”) is maintained, subject to deactivation or disconnection. Conventionally, five values are used to form such a set. These five values are sometimes collectively referred to as a “five-tuple” entry. A five-tuple entry includes respective values for IP Source Address, IP Destination Address, IP Protocol, Transport Layer Source Port (“Source Port”), and Transport Layer Destination Port (“Destination Port”). Examples of IP Protocols include User Datagram Protocol (“UDP”) and Transmission Control Protocol (“TCP”). In a UDP or TCP packet, there are IP Source and Destination Addresses in the IP packet header. In a UDP or TCP packet, Source and Destination Ports are in the UDP or TCP header, respectively, as well as an IP Protocol value indicating whether the packet is a UDP or TCP packet. For clarity, a TCP packet is described below, though it will be apparent that a UDP packet may be used.
In a connection using TCP (“a TCP connection”), namely, where TCP packets are exchanged, there is a received packet (“an inbound packet”) and a sent packet (“an outbound packet”). Notably, five-tuple entries for inbound and outbound packets are the same except that Source and Destination Addresses are reversed, and Source and Destination Ports are reversed. Of course, in each of these two related five-tuple entries, IP Protocol is the same in both inbound and outbound packets.
In a stateful firewall, a data structure, such as an array, may have respective columns indexed to five-tuple categories of information where each row represents an active connection. Additional columns may be used depending on the level of detail used to evaluate each connection. Such a data structure may be referred to as a “table,” indicating a tabularized form of information whether or not headings are used. Five-tuple entries for inbound and outbound packets are stored in a connection table. The five-tuple entries stored in the connection table are compared against the five-tuples of inbound and outbound packets to determine whether or not the packets belong to an existing connection.
When Network Address Translation (“NAT”) is employed, five-tuple information is stored to indicate the Public IP Address and Public Transport Layer Port (“Public Port”) of a NAT-configured device (“gateway”). The term “Public” is used to indicate that the address and port of the gateway are accessible from outside a local network associated with the gateway. The term “Remote” is used to indicate a device outside of a local network of the gateway. Notably, the gateway device may be a separate computer or installed in a “Local” computer. The term “Local” refers to a device on a local network of the gateway. For NAT, in the case of inbound packets to a NAT gateway, a five-tuple entry includes: an IP Source Address (“Remote IP Address”); an IP Destination Address (“Public IP Address”); a Source Port (“Remote Source Port”); a Destination Port (“Public Destination Port”); and IP Protocol. For NAT, in the case of outbound packets to a NAT gateway, a five-tuple entry includes: an IP Source Address (“Local IP Address”); an IP Destination Address (“Remote IP Address”); Source Port (“Local Source Port”); Destination Port (“Remote Destination Port”); and IP Protocol.
When an inbound packet having a five-tuple from a Remote device is received by a gateway where the five-tuple matches one stored in a NAT table, the gateway translates such an inbound packet for routing. Using the above described convention, the translated five-tuple includes: IP Source Address (“Remote IP Address”); IP Destination Address (“Local IP Address”); Source Port (“Remote Source Port”); Destination Port (“Local Destination Port”); and IP Protocol. This is because a packet from a Remote device is sent to a gateway using Public information, which, after being found to be part of an active connection, is used for address translation for routing to a Local device.
When an outbound packet having a five-tuple from a local device is received by a gateway where the five-tuple matches one stored in a NAT table, the gateway translates such an outbound packet for routing. Using the above described convention, the five-tuple includes: IP Source Address (“Public IP Address”); IP Destination Address (“Remote IP Address”); Source Port (“Public Source Port”); Destination Port (“Remote Destination Port”); and IP Protocol. For clarity, the terms Remote, Local and Public are used below whether or not NAT is being used.
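The connection-table handling of the preceding paragraphs, written out as an added Python example that is not part of this document: a five-tuple is stored in the page's order (IP Source Address, IP Destination Address, IP Protocol, Source Port, Destination Port), the inbound key for a connection is the outbound key with addresses and ports reversed, and with NAT an outbound Local packet is rewritten to the gateway's Public address and port while a matching inbound Remote packet is rewritten to the Local address and port. The sequential Public Port allocation and the addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Five-tuple in the page's order: IP Source Address, IP Destination Address,
# IP Protocol, Source Port, Destination Port.
FiveTuple = Tuple[str, str, str, int, int]

def reverse(ft: FiveTuple) -> FiveTuple:
    """Five-tuple of the packet flowing the other way: addresses and ports swapped, protocol kept."""
    src, dst, proto, sport, dport = ft
    return (dst, src, proto, dport, sport)

@dataclass
class NatEntry:
    local: FiveTuple   # outbound packet as the Local device sends it (Local -> Remote)
    public: FiveTuple  # the same packet after translation (Public -> Remote)

class StatefulNatGateway:
    """Connection table keyed by the five-tuple of a packet exactly as the gateway receives it."""
    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_public_port  # assumption: Public Ports handed out sequentially
        self.table: Dict[FiveTuple, NatEntry] = {}

    def outbound(self, pkt: FiveTuple) -> FiveTuple:
        """Local -> Remote packet: create state on first sight, then rewrite to Public address/port."""
        entry = self.table.get(pkt)
        if entry is None:
            _local_ip, remote_ip, proto, _local_port, remote_port = pkt
            public = (self.public_ip, remote_ip, proto, self.next_port, remote_port)
            self.next_port += 1
            entry = NatEntry(local=pkt, public=public)
            self.table[pkt] = entry              # key for later outbound packets of this connection
            self.table[reverse(public)] = entry  # key for the Remote -> Public reply packets
        return entry.public

    def inbound(self, pkt: FiveTuple) -> Optional[FiveTuple]:
        """Remote -> Public packet: translate only if it belongs to an active connection, else drop."""
        entry = self.table.get(pkt)
        if entry is None:
            return None                          # unsolicited inbound packet: no state, dropped
        return reverse(entry.local)              # Remote -> Local five-tuple used for routing
```

Each packet costs exactly one dictionary lookup on its received five-tuple, which is the per-packet table lookup the text later identifies as the cost to reduce.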
Furthermore, to enhance firewalling security, encrypted information may be established for a connection. Examples of protocols for enhanced security on the Internet include Point-to-Point Tunneling Protocol (“PPTP”) and a set of protocols known collectively as Internet Protocol Security (“IPSec”). However, fragmentation of IP packets has been used to defeat firewalls, such as in the so-called “ping-of-death,” “wedge” and “tiny fragment” attacks. IP version 4 (“IPv4”) supports header structures allowing fragmentation of IP packets. Notably, a fragmented packet (“fragment”) may be fragmented further, and there is no requirement that fragments arrive in order, or even that they arrive at all. In many stateless firewalls, fragments are summarily processed by dropping them. However, fragments are useful when an intermediate router has to forward a packet that is larger than the maximum transmission unit (“MTU”) of an outgoing interface (“OIF”). Thus, by dropping fragments, information may be lost. Examples of stateless firewalls may be found integrated in low-end home gateway routers. In higher-end standalone or integrated stateful firewalls, more states are added to verify the authenticity of a fragment. This approach facilitates use of devices with significant embedded memory limitations, using less memory than a fragment buffering and reassembly approach.
Accordingly, it would be desirable to have a stateful firewall that buffers and reassembles fragments.
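The buffer-and-reassemble approach described above, as an added Python example that is not part of this document: fragments of one datagram are keyed by IPv4 source, destination, protocol and identification, are buffered in any arrival order until the last fragment and every byte before it have been seen, and the ports for the five-tuple check are read only from the reassembled transport header, so a tiny first fragment cannot hide them. Oversized datagrams (the ping-of-death case) and overlapping fragments (the wedge case) are rejected outright. The sample addresses and TCP segment are constructed for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Fragments of one datagram share IPv4 source, destination, protocol and identification.
FragKey = Tuple[str, str, int, int]

class FragmentReassembler:
    """Buffers IPv4 fragments per datagram; returns the whole payload only once it is complete."""
    def __init__(self, max_datagram: int = 65535):
        self.max_datagram = max_datagram
        self.pending: Dict[FragKey, List[Tuple[int, bytes]]] = {}
        self.total: Dict[FragKey, int] = {}  # payload length, known once the MF=0 fragment arrives

    def add(self, key: FragKey, offset: int, more: bool, data: bytes) -> Optional[bytes]:
        # offset is in bytes (header field * 8); non-final fragments must be multiples of 8 bytes
        if offset % 8 or (more and len(data) % 8) or offset + len(data) > self.max_datagram:
            return None  # malformed or oversize (ping-of-death style): dropped
        frags = self.pending.setdefault(key, [])
        for off, seg in frags:  # overlapping fragments (wedge attacks) invalidate the whole datagram
            if offset < off + len(seg) and off < offset + len(data):
                self.pending.pop(key, None)
                self.total.pop(key, None)
                return None
        frags.append((offset, data))
        if not more:
            self.total[key] = offset + len(data)
        if key not in self.total:
            return None  # final fragment not seen yet; fragments may arrive in any order
        frags.sort(key=lambda f: f[0])
        expected, buf = 0, bytearray()
        for off, seg in frags:
            if off != expected:
                return None  # gap remains; keep buffering (a real gateway would also time out)
            buf += seg
            expected = off + len(seg)
        if expected != self.total[key]:
            return None
        del self.pending[key], self.total[key]
        return bytes(buf)

def five_tuple_of(key: FragKey, payload: bytes) -> Tuple[str, str, int, int, int]:
    """Five-tuple taken from the reassembled datagram: ports come from the whole transport header."""
    sport, dport = struct.unpack("!HH", payload[:4])
    return (key[0], key[1], key[2], sport, dport)

# Constructed sample: a TCP segment (ports 443 -> 51515, 20-byte header) plus a short payload.
SAMPLE_KEY: FragKey = ("198.51.100.7", "192.168.1.10", 6, 0x1234)
SAMPLE_TCP = struct.pack("!HH", 443, 51515) + bytes(16) + b"payload"
```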
It should be appreciated that, whether or not NAT is used, a table lookup is done for each packet. Thus, computational cycles are spent for each lookup and comparison of each five-tuple entry. Accordingly, a reduction in computational cycles for packet processing would be useful and desirable.